Skip to content

Collaborative Incident Response platform

License

Notifications You must be signed in to change notification settings

enduirluke/iris-web

 
 

Repository files navigation

Incident Response Investigation System
Current Version v2.0.0-beta-1

IRIS

License: LGPL v3
Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations.

demo_timeline

Table of contents

Getting started

It is divided in two main parts, IrisWeb and IrisModules.

  • IrisWeb is the web application which contains the core of Iris (web interface, database management, etc).
  • IrisModules are extensions of the core that allow third parties to process data via Iris (eg enrich IOCs with MISP and VT, upload and injection of EVTX into Splunk).

IrisWeb can work without any modules though defaults ones are preinstalled. Head to Manage > Modules in the UI to configure and enable them.

Running Iris

To ease the installation and upgrades, Iris is shipped in Docker containers. Thanks to Docker compose, it can be ready in a few minutes.

#  Clone the iris-web repository
git clone https://github.com/dfir-iris/iris-web.git
cd iris-web

# Checkout to the last tagged version 
git checkout v1.4.5

# Copy the environment file 
cp .env.model .env
# [... optionally, do some configuration as specified in section below ...]

# Build the dockers
docker-compose build

# Run IRIS 
docker-compose up

Iris shall be available on the host interface, port 4433, protocol HTTPS - https://<your_instance_ip>:4433.
By default, an administrator account is created. The password is printed in stdout the very first time Iris is started. It won't be printed anymore after that.
WARNING :: post_init :: create_safe_admin :: >>> can be searched in the logs of the webapp docker to find the password.
The initial password can be set via the configuration.

Iris is split on 5 Docker services, each with a different role.

  • app: The core, including web server, DB management, module management etc.
  • db: A PostgresSQL database
  • RabbitMQ: A RabbitMQ engine to handle jobs queuing and processing
  • worker: Jobs handler relying on RabbitMQ
  • nginx: A NGINX reverse proxy

Configuration

There are three different options for configuring the settings and credentials: Azure Key Vault, Environment Variables and Configuration Files. This is also the order of priority, if a settings is not set it will fall back on the next option. For all available configuration options see CONFIGURATION.md.

Versioning

Starting from version 2.0.0, Iris is following the Semantic Versioning 2.0 guidelines.
The code ready for production is always tagged with a version number. alpha and beta versions are not production-ready.

Do not use the master branch in production.

Showcase

For a more comprehensive overview of the case features, you can head to tutorials, we've put some videos there.

Documentation

A comprehensive documentation is available on docs.dfir-iris.org.

Upgrades

Please read the release notes when upgrading versions. Most of the time the migrations are handled automatically, but some changes might require some manual labor depending on the version.

API

The API reference is available in the documentation or documentation repository.

Help

You can reach us on Discord or by mail if you have any question, issue or idea!
We are also on Twitter and Matrix.

Considerations

Iris is still in its early stage. It can already be used in production, but please set backups of the database and DO NOT expose the interface on the Internet. We highly recommend using a private dedicated and secured network.

License

The contents of this repository is available under LGPL3 license.

About

Collaborative Incident Response platform

Resources

License

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 86.3%
  • Python 5.2%
  • CSS 3.5%
  • HTML 3.0%
  • SCSS 2.0%
  • Dockerfile 0.0%